
#1 2014-01-24 04:34:35

Amanda S
Member
Registered: 2013-09-21
Posts: 276

How do you secure your Arch install?

I never really setup a firewall or any security software on Linux, but a few weeks ago I started getting paranoid with this subject.

On Windows I had:

* Kaspersky Internet Security
* Malwarebytes
* Comodo Internet Security (with its firewall running along with Kaspersky Firewall)
Not to mention I sometimes would work with 3 VM's (one inside another) on operations I'd call risky. Yeah, I'm THAT paranoid.

On Linux I remember using UFW and setting it to 'deny all incoming' and still everything worked, Steam, Skype etc. But I'm not confident with this "solution", I need something more advanced.

Q: What do you do to secure your Arch install from web attacks? Which software and how did you configure it? Links are more than welcome.


If it ain't broke, you haven't tweaked it enough...


#2 2014-01-24 04:50:02

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: How do you secure your Arch install?

https://wiki.archlinux.org/index.php/Si … l_firewall

The reason why the internet still worked was because the linux firewall is stateful.  See the above article to get an understanding of what that means.

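What WonderWoofy is describing, as an added example that is not part of the thread: a toy Python model of a host firewall with a default-deny input policy plus connection tracking, run over a constructed packet trace. The host address, the remote addresses and the port numbers are made up for illustration; the nftables ruleset in the comment is the real-world equivalent of the policy the model applies.

```python
from dataclasses import dataclass

# Real-world equivalent of the policy modelled below (nftables syntax):
#
#   table inet filter {
#       chain input {
#           type filter hook input priority 0; policy drop;
#           iif lo accept
#           ct state established,related accept
#           ct state invalid drop
#       }
#   }
#
# Output is unrestricted, so the kernel's conntrack table learns every flow the
# host starts, and the replies come back in as "established".


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "in" = arriving from the network, "out" = leaving the host
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


def flow_key(pkt):
    """Direction-independent identity of a flow: the two endpoints as an unordered pair."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class StatefulFilter:
    """Default-deny-inbound host firewall with a minimal connection-tracking table."""

    def __init__(self, listen_ports=()):
        self.listen_ports = set(listen_ports)  # inbound TCP ports deliberately opened
        self.conntrack = set()                 # flows seen leaving the host or explicitly accepted

    def filter(self, pkt):
        if pkt.direction == "out":
            # Output policy accept: record the flow so that its replies match below.
            self.conntrack.add(flow_key(pkt))
            return "ACCEPT"
        if flow_key(pkt) in self.conntrack:
            # "ct state established,related": a reply to a flow we already know.
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.syn and pkt.dport in self.listen_ports:
            # A service we chose to expose (a server would add e.g. 22 here).
            self.conntrack.add(flow_key(pkt))
            return "ACCEPT"
        return "DROP"  # policy drop: unsolicited inbound traffic


HOST = "192.168.1.10"  # constructed sample addresses, not from the thread

# Constructed traffic trace: a browser session, a DNS lookup and two probes.
TRACE = [
    Packet("tcp", HOST, 50123, "203.0.113.5", 443, "out", syn=True),   # HTTPS connect
    Packet("tcp", "203.0.113.5", 443, HOST, 50123, "in"),              # SYN-ACK reply
    Packet("udp", HOST, 40001, "192.168.1.1", 53, "out"),               # DNS query
    Packet("udp", "192.168.1.1", 53, HOST, 40001, "in"),                # DNS answer
    Packet("tcp", "198.51.100.7", 51234, HOST, 22, "in", syn=True),    # unsolicited SSH probe
    Packet("tcp", "198.51.100.7", 51235, HOST, 8080, "in", syn=True),  # unsolicited probe
]


def run_trace(listen_ports=()):
    """Apply the filter to TRACE and return the verdict for each packet in order."""
    fw = StatefulFilter(listen_ports)
    return [fw.filter(p) for p in TRACE]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(f"{verdict:6} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

With no listening ports opened (the "deny all incoming" setting from the first post) the HTTPS and DNS replies are still accepted because the host initiated those flows, while the two probes are dropped; that is why Steam and Skype, which open their own outbound connections, kept working. Anything that genuinely needs an unsolicited inbound connection (a server, or peer-to-peer features that listen) needs an explicit `listen_ports` entry, which is the "poke a hole" ewaller mentions later. The real conntrack additionally follows TCP state and expires idle entries; this model keeps flows forever.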

#3 2014-01-24 18:40:21

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: How do you secure your Arch install?

If your modem/router has hardware firewall capabilities, give that preference. Otherwise, read the wiki entry WonderWoofy linked to (or, you know, just read it either way, since it's interesting and useful stuff).


#4 2014-01-24 21:58:05

0strodamus
Member
Registered: 2014-01-22
Posts: 92

Re: How do you secure your Arch install?

I'm using iptables and TOMOYO Linux. I use TOMOYO Linux as both an "application firewall" for all applications and as a MAC for Firefox. TOMOYO Linux is impressive - you should give it a try.


archlinux | OpenRC | TOMOYO Linux | Xfce

"In his house at R'lyeh dead Cthulhu waits dreaming."


#5 2014-01-24 22:44:16

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,808

Re: How do you secure your Arch install?

You say, "Web attacks", and this thread has spent a lot of time talking about firewalls.  You mentioned firewalls, but you had also mentioned anti-virus / anti-scumware tools.

If you had said cyber attacks, I might have responded sooner.  To me, "Web" is the subset of stuff you encounter on the world-wide-web; stuff you encounter that exploits browser vulnerabilities, Javascript weaknesses, poisoned Acrobat and Flash files, Java applets, etc...  Firewalls that let you browse the web won't help with these sorts of things.

Firewalls are great at keeping hackers away from open ports.  Of course, if you are running a server, you need to poke a hole through that firewall anyway.  Run a good external firewall, and most of your problems never reach your machine.

Aside from that, use a layered approach.  If you have an open ssh port, rate limit log on attempts.  Blacklist IPs that attempt brute force attacks.  Think sshguard or fail2ban.
Require ssh keys.

Always use strong passwords.  Always use the minimum privileges required to do what you need to do.  Never do everyday things as root.  I (almost) never log in as root. I never run GUIs as root.  If you are doing something you consider to be risky, do it (or launch it) from a restricted shell.

Your idea of a VM is excellent.  I am not sure about VMs embedded in VMs -- that seems extreme.  Don't give VMs access to your host file systems.

If you are really paranoid, look into a tool like tripwire.
Use a root kit detector like rkhunter.
Limit physical access to your computer.
Always verify the hashes of stuff you install.
Always read the install scripts of stuff from ABS.
Never put '.' in your $PATH
Do not install Wine
Disable Java Applets in your Browser.
Avoid proprietary software -- or anything where you are not allowed to read the source.
Never run as root.  (I know, I said that already.  But, I am serious)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

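One way to implement the "rate limit and blacklist" step ewaller recommends, as an added example that is neither the thread's nor fail2ban's own code: a Python sliding-window detector run over a constructed sshd log excerpt. The log lines, hostname and addresses are made up; the year is assumed because classic syslog timestamps carry none; the threshold of 5 failures within 600 seconds mirrors common fail2ban defaults but is an assumption here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (syslog format, made up for this example):
# one source hammering the port, one legitimate user who mistyped twice.
SAMPLE_LOG = """\
Jan 25 01:04:01 arch sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 25 01:04:03 arch sshd[2203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jan 25 01:04:05 arch sshd[2205]: Failed password for root from 198.51.100.7 port 51241 ssh2
Jan 25 01:04:06 arch sshd[2207]: Accepted publickey for amanda from 192.168.1.20 port 40022 ssh2
Jan 25 01:04:08 arch sshd[2209]: Failed password for invalid user oracle from 198.51.100.7 port 51250 ssh2
Jan 25 01:04:09 arch sshd[2211]: Failed password for invalid user test from 198.51.100.7 port 51251 ssh2
Jan 25 01:30:00 arch sshd[2301]: Failed password for amanda from 192.168.1.20 port 40100 ssh2
Jan 25 01:45:00 arch sshd[2302]: Failed password for amanda from 192.168.1.20 port 40101 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip, username) for each failed-login line.
    Classic syslog timestamps carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bans(log_text, maxretry=5, findtime_s=600):
    """Sliding-window rule: a source that fails maxretry times within findtime_s seconds
    is banned at the moment of the failure that crosses the threshold.
    Returns {ip: ban_time} in ban order (maxretry/findtime are the fail2ban knob names)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in bans:
            continue              # already blocked; a real daemon would see no further lines
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()      # drop failures older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_command(ip, port=22):
    """The firewall action a banning daemon would take for one source (argv, not executed here)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", str(port), "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} ban {ip}: {' '.join(ban_command(ip))}")
```

The probing source crosses the threshold on its fifth failure and is banned; the legitimate user's two failures fall outside the window and never trigger. Production tools add the parts this sketch leaves out: following the log as it grows, un-banning after a timeout, and never banning the address you administer from (a whitelist) so a typo does not lock you out of your own box. With ssh keys required, as ewaller says next, the failures never become a credential risk at all; the ban only stops the log noise and the CPU spent on handshakes.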

#6 2014-01-24 22:55:50

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: How do you secure your Arch install?

I question just how paranoid you actually are if you have gone for any period of time without any thought of security on linux.  Linux may be inherently more secure than other operating systems, but you still have to be smart about what you do and don't do.


#7 2014-01-24 23:44:56

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: How do you secure your Arch install?

ewaller wrote:

Always use strong passwords.

Use a password manager.  These allow you to generate new passwords for all your online accounts, and use your system password to access them. Each of my online accounts has a 15-character "random" password, but I only need to remember one.


#8 2014-01-25 01:04:48

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,808

Re: How do you secure your Arch install?

ANOKNUSA wrote:
ewaller wrote:

Always use strong passwords.

Use a password manager.  These allow you to generate new passwords for all your online accounts, and use your system password to access them. Each of my online accounts has a 15-character "random" password, but I only need to remember one.

Good point, I forgot that one.  Also, turn on two-factor authentication.  Even the free version of LastPass works with Google Authenticator on smart phones.  Authenticator generates RSA SecurID six-digit non-predictable number sequences that are valid for 30 seconds at a time.  You have to know the password and the current RSA number in order to access the password vault.



#9 2014-01-25 09:40:31

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: How do you secure your Arch install?

You can also set up ssh to use 2-factor ID with libpam-google-authenticator...
http://www.howtogeek.com/121650/how-to- … ntication/


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#10 2014-01-25 10:25:02

broken pipe
Member
Registered: 2010-12-10
Posts: 238

Re: How do you secure your Arch install?

I'm using keepassx for managing my passwords, though I've saved them in firefox (protected with a master password). Always generate a unique passwd for each site.
For network security I installed ufw (iptables interface). Basically you define some simple rules without worrying about the right iptables syntax. ufw default deny; ufw allow from 192.168.1.0/24; check the wiki for further information!
Disable all unneeded services (eg apache, sshd, etc.)


#11 2014-01-25 14:06:52

w201
Member
Registered: 2012-10-04
Posts: 289

Re: How do you secure your Arch install?

According to Cisco, we're becoming so good at locking down our systems that most of the attacks on the web today are DDoS, more than 80%, that happen over http and tie up system resources. And that says a lot, because hackers are going back to DDoS, which isn't exactly new.

Apparently a new one is a slow hash attack that fools a server into thinking there's something wrong with a hash and forces it to recompute it, which can chew up huge amounts of system resources.


#12 2014-01-26 20:35:47

Amanda S
Member
Registered: 2013-09-21
Posts: 276

Re: How do you secure your Arch install?

WonderWoofy wrote:

https://wiki.archlinux.org/index.php/Si … l_firewall

The reason why the internet still worked was because the linux firewall is stateful.  See the above article to get an understanding of what that means.

I've been doing as it says, and so far it's working nice. Thanks.

ANOKNUSA wrote:

If your modem/router has hardware firewall capabilities, give that preference. Otherwise, read the wiki entry WonderWoofy linked to (or, you know, just read it either way, since it's interesting and useful stuff).

I'm connected directly to my ISP modem (Motorola SB5101), I don't think it has a firewall. Anyway, I'll buy a router soon.

ewaller wrote:

You say, "Web attacks", and this thread has spent a lot of time talking about firewalls.  You mentioned firewalls, but you had also mentioned anti-virus / anti scumware tools

Yes. This thread is supposed to be a multi-topic one.

ewaller wrote:

Firewalls are great at keeping hackers away from open ports.  Of course, it you are running a server, you need to poke a hole through that firewall anyway.  Run a good external firewall, and most of your problems never reach your machine.

Any suggestions on a good one?

ewaller wrote:

Aside from that, use a layered approach.  If you have an open ssh port, rate limit log on attempts.  Blacklist IPs that attempt brute force attacks.  Think sshguard or fail2ban.
Require ssh keys.

I've blocked all ssh connections.

ewaller wrote:

Always use strong passwords.

I do. My user password contains 19 random characters, such as "AbC123!@#{}>". My Root password follows the same rule, only difference is that it's 31 characters long.

ewaller wrote:

Always use the minimum privileges required to do what you need to do.  Never do everyday things as root.  I (almost) never log in as root. I never run GUI s as root.  If you are doing something you consider to be risky, do it (or launch it) from a restricted shell.

I follow the same principles.

ewaller wrote:

Your idea of a VM is excellent.  I am not sure about VMs embedded in VMs -- that seems extreme.  Don't give VMs access to you host file systems.

I considered it possible (in the past) for an attacker to bypass one VM and jump to another. Well, it could be possible, but why would I personally be targeted? Why such effort on the attacker's side?
That's why I focus on securing the VM as much as possible. The attacker will face very strong security on the VM.

ewaller wrote:

If you are really paranoid, look into a tool like tripwire.
Use a root kit detector like rkhunter.
Limit physical access to your computer.
Always verify the hashes of stuff you install.
Always read the install scripts of stuff from ABS.
Never put '.' in your $PATH
Do not install Wine
Disable Java Applets in your Browser.
Avoid proprietary software -- or anything where you are not allowed to read the source.
Never run as root.  (I know, I said that already.  But, I am serious)

* I do.
* Like disk encryption, for example? I already do. Only the /boot partition is unencrypted. And I keep back-ups of it and the MBR section of my drive. Just in case :P
* I trust Arch's keyring, especially since I stick with the official repos and them only.
* I don't run scripts I didn't make or from 3rd parties I don't trust (e.g. Canonical or any random user on the internet).
* Why? :D
* I don't. It's not only against my philosophy, but I don't trust it.
* I do. Also, I only run Flash in VMs. I don't have Flash installed on my host. Hell, I'd use only FOSS if I could, but Steam/NVIDIA/VirtualBox are CSO.
* The above mentioned are the only proprietary software I use on my host. All the rest run in VMs, such as Google Earth, etc.
* I almost never do, unless I explicitly know what I'm doing and re-read what I'm typing. If you're talking about running software as root, I don't. The only root privileges on my machine are for Dolphin on my desktop; I set it to run as root (because I need it sometimes) and I have to type the root password every time I do so.

WonderWoofy wrote:

I question just how paranoid you actually are if you have gone for any period of time without any thought of security on linux.  Linux may be inherently more secure than other operating systems, but you still have to be smart about what you do and don't do.

You're absolutely right.

To see how paranoid I am: https://forums.opensuse.org/showthread. … -good-idea

An example is that I only re-install my systems after zeroing the drive. I'm currently in the process of not doing so, keeping backups of the MBR and other partitions so I can just replace them and manually (via terminal) delete the files I don't want on the other partitions.

ANOKNUSA wrote:
ewaller wrote:

Always use strong passwords.

Use a password manager.  These allow you to generate new passwords for all your online accounts, and use your system password to access them. Each of my online accounts has a 15-character "random" password, but I only need to remember one.

Although it's good for people who can't memorize their passwds, I don't use them. I manually create my passwords, usually as:

* take a song I like and look for its lyrics, for example:

You'll take my life but I'll take yours too

* Extract the first letters of each word. So:

ytmlbityt

* Change some characters to Capital:

yTmlBItyT

* Add some numbers:

1yT4m90lB5I7ty3T2

* Add symbols:

@1%yT}4m>9(0l#B5!I7t*y3)T2=

There you go.
Obviously this is just an example.



#13 2014-01-26 21:47:51

herOldMan
Member
Registered: 2013-10-11
Posts: 151

Re: How do you secure your Arch install?

Here's another strategy for getting random passwords:
http://www.random.org/


#14 2014-01-26 23:17:40

Awebb
Member
Registered: 2010-05-06
Posts: 6,312

Re: How do you secure your Arch install?

Uhh passwords.

All this fuzz about private security is meaningless, once all hardware will be compromised by default.


#15 2014-01-27 00:03:59

Amanda S
Member
Registered: 2013-09-21
Posts: 276

Re: How do you secure your Arch install?

That 'correcthorsebatterystaple' is way less secure than any 16-random-character one. No point in using words as pass-phrases.



#16 2014-01-27 00:54:58

Awebb
Member
Registered: 2010-05-06
Posts: 6,312

Re: How do you secure your Arch install?

Read that thing again. There are blanks in it. And entropy. Lots of entropy. By the way: the common "your password needs an uppercase, lowercase, numerical and special char" thing in password policies actually reduces entropy, because it is well known that a lot of companies enforce this by now. It also leads to people forgetting their passwords three times as often (according to internal statistics of three different companies I worked for), which usually leads to a simplification of password recovery guidelines.

The problem has been moved, relevant passwords cannot really be cracked anymore. For example, a PGP (Symantec) encrypted laptop will ask for a WDRT (Whole Disk Recovery Token) after three wrong attempts to enter the password. LDAP/AD will lock an account after three to five wrong attempts (there is even a randomization plugin to prevent massive account farming). If I was in charge, no company would allow a helpdesk to unlock accounts by phone; everybody would have to visit the local IT department and identify themselves by revealing their ID card.


#17 2014-01-27 01:59:01

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: How do you secure your Arch install?

Amarildo wrote:

That 'correcthorsebatterystaple' is way less secure than any 16-random-character one. No point in using words as pass-phrases.

Just because you assert it, doesn't make it so. Please demonstrate the maths. The xkcd gives the maths: which part of the logic do you wish to try and refute?


#18 2014-01-27 06:00:22

Amanda S
Member
Registered: 2013-09-21
Posts: 276

Re: How do you secure your Arch install?

/dev/zero wrote:
Amarildo wrote:

That 'correcthorsebatterystaple' is way less secure than any 16-random-character one. No point in using words as pass-phrases.

Just because you assert it, doesn't make it so. Please demonstrate the maths. The xkcd gives the maths: which part of the logic do you wish to try and refute?

Sure.

xkcd demonstrated a set of 4 words strung together, which would eventually fall to a dictionary attack.
A set of 16 characters (containing upper- and lowercase letters + all 10 digits + all symbol characters on the number row) is more secure than that particular password or any dictionary password with the same length; it all comes down to the pool size: the larger the pool (combined with a long set of characters), the harder it is to crack. So:

correcthorsebatterystaple =  171476^4 = 8.64E20 (864596308417753067776 possible word combinations)

j*3F1A)6!BPo(Q4* = 95^16 = 4.4E31 (44012666865176569775543212890625 possible combinations)

Now, you might say that if you use 26^26 (26 alphabet characters and the password is 26 characters long) it's harder to guess than that 16-bit one. It's probably true, though Dictionary Attacks are far more commonly used (when the attack begins) because people tend to use words/numbers as passwords. If the Dictionary Attack fails, then the attacker passes to other common Brute-Force methods.
Then comparing oranges with oranges:

* 26 character alphabet password: 26^26 = 6156119580207157310796674288400203776 possible combinations

* 26 random character password: 26^95 = 264525812631713602041914824385797270222124944851713745644795112569368725341248692362352020428416901319423278505924879340392549634277376  possible combinations

Considering it's not hard to build a cluster of 25 GPUs that "devour password hashes at up to 348 billion per second" (and can be extended to 125 GPUs), which would you choose? The random-character one is always going to be more secure than words put together.

A quote I like to point:

Consider the mathematics:

If you use a password comprised of only the 26 letters in the English alphabet, in lowercase, your pool to choose from is 26.
If you use upper and lower case (and the system can differentiate them),then it's 54.
If you add the 10 digits, it's 64.
Special characters on the number row = 74.
That's a relatively small set of characters, yet an 8 character password made up from those 74 characters makes for 74^8 or about 9E14 combinations.
The total number of words in the English language is difficult to measure (because what constitutes a "word"?), but the Oxford English Dictionary, 2nd edition contains 171,476 unique word definitions.
If we pick 4 of those 171,476 words and string them together with no separator, that's 8.64E20 combinations (allowing for repetition).
Sure, if you *know* the password is 3 words strung together, it's easy to employ a dictionary attack

which would be the first thing to do when you know everybody is not using good passphrases but only a few words instead. Actually, it is today the first thing I would do if I had to brute-force something.

More references:

https://forums.opensuse.org/showthread. … -passwords

http://www.wilderssecurity.com/showthread.php?t=351635

https://forums.opensuse.org/showthread. … -good-idea

https://forums.opensuse.org/showthread. … tem-really

Last edited by Amanda S (2014-01-27 06:27:12)



#19 2014-01-27 07:00:25

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,808

Re: How do you secure your Arch install?

The reason you don't want to put '.' in your path.  If all of your executable files are in fixed places and are referenced by your $PATH, you can control the directories that contain those files.  If you start to cd around a file system, and you've '.' in your path, then you have set it up where you look for an executable relative to where you are in the file system.  You cannot control that.  Suppose someone managed to slip an executable file into a directory to which they have write permissions, then you happen to change to that directory.  What if they named that executable pacman, ip, iw, grep, sudo, etc... and what if the '.' appeared in the path before the directory that contained the real command.  If you try to run one of those commands --Poof-- you just ran their code with your permissions.  You are pwned.


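The scenario ewaller describes, as an added example that is not part of the thread: a Python script that plants an executable named `ls` (and a misspelt `lss`) in a scratch directory, then runs those bare command names from inside that directory through /bin/sh, with `.` first in PATH, with no `.`, and with `.` last. The planted program only prints a marker; the scratch directory and the PATH values are made up for the demonstration and the script assumes a POSIX /bin/sh with the real ls under /usr/bin or /bin.

```python
import os
import subprocess
import tempfile

# The planted program. A real attacker's version would do its work and then
# exec the genuine command so the victim notices nothing.
PLANTED = "#!/bin/sh\necho HIJACKED\n"


def run_command(name, directory, path_env):
    """Run the bare command `name` from inside `directory` through /bin/sh, exactly as a
    user who cd'd there and typed it would, with PATH set to `path_env`.
    Returns stdout with surrounding whitespace stripped."""
    result = subprocess.run(
        ["/bin/sh", "-c", name],
        cwd=directory,
        env={"PATH": path_env},   # the shell resolves `name` against this PATH
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def plant(directory, *names):
    """Drop the planted program into `directory` under each of `names`, marked executable."""
    for name in names:
        target = os.path.join(directory, name)
        with open(target, "w") as fh:
            fh.write(PLANTED)
        os.chmod(target, 0o755)


def demo():
    """Return the outcome of running `ls` and the typo `lss` under three PATH settings."""
    with tempfile.TemporaryDirectory() as d:   # stands in for a directory the attacker can write to
        plant(d, "ls", "lss")
        return {
            # '.' first: the planted file shadows the real ls
            "dot_first": run_command("ls", d, ".:/usr/bin:/bin"),
            # no '.': the real ls runs and simply lists the two planted files
            "no_dot": run_command("ls", d, "/usr/bin:/bin"),
            # '.' last looks safer, but any name that is NOT a real command
            # (a typo, an uninstalled tool) still falls through to the planted file
            "dot_last_typo": run_command("lss", d, "/usr/bin:/bin:."),
        }


if __name__ == "__main__":
    for case, output in demo().items():
        print(f"{case:14} -> {output!r}")
```

The third case is the one people miss: putting `.` at the end of PATH protects names that exist on the system but still hands every typo and every not-yet-installed tool to whatever file sits in the current directory. The same lookup happens for `sudo ls`, which is why the planted file ends up running with whatever privileges the victim had.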

#20 2014-01-27 07:11:32

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,808

Re: How do you secure your Arch install?

Oh, and be careful of VMs (let's see if this bakes your noodle....).  Even though there are concerns about hardware random number generators in processors having been compromised by influence on vendors by the good 'ole NSA, consider this... Inside a VM, that 'hardware' random number generator is completely, 100% pwned by the hypervisor / emulator / VM layer.  They may not be random, they may be logged, they may be sent to a third party.  I would be very cautious of encryption performed inside a VM; even other entropy sources could be manipulated.



#21 2014-01-27 08:21:38

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: How do you secure your Arch install?

Amarildo wrote:

Sure. <etc>

Thanks. Good food for thought. I think there is still merit in having passwords that are easy to remember. As one of the sources you cite points out, if you have all these high-strength passwords bound together by a key manager, then an attacker only needs to compromise the key manager. On the other hand, if you're using variants of correcthorsebatterystaple all over the place and each one is different, then only part of your protected information can be compromised at once.

There is also the $5 wrench rule to consider: no matter how strong your password, it can be extracted by anyone at any time through the targeted use of a $5 wrench on sensitive areas of your body. This brings into question how much time should be spent on either memorising crazy random passwords, or else implementing systems to manage crazy random passwords.


#22 2014-01-27 09:08:00

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,406

Re: How do you secure your Arch install?

Disconnect from the internet.


#23 2014-01-27 09:15:16

Jellicent
Member
From: Berlin
Registered: 2013-09-13
Posts: 189

Re: How do you secure your Arch install?

Allan wrote:

Disconnect from the internet.

You could still acquire an infected usb... no? :DDD


#24 2014-01-27 09:28:31

skanky
Member
From: WAIS
Registered: 2009-10-23
Posts: 1,847

Re: How do you secure your Arch install?

Jellicent wrote:
Allan wrote:

Disconnect from the internet.

You could still acquire an infected usb... no? :DDD

Stuxnet (at least) infected air-gapped computers, so yes.


"...one cannot be angry when one looks at a penguin."  - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle


#25 2014-01-27 15:11:26

Awebb
Member
Registered: 2010-05-06
Posts: 6,312

Re: How do you secure your Arch install?

Again: Brute force attacks are irrelevant unless the target is an encrypted file, hard drive or local user account with no timeouts and second guards (like a proper LDAP setup). All you achieve with strong password requirements is alienating your users and create work for the support crew.

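The arithmetic behind the passphrase argument in #18 and Awebb's point in #25 that guessing only matters when there is nothing throttling the guesses, as an added example that is not part of the thread: a Python calculation of entropy in bits for each scheme the posts mention, and of the time to try every candidate at the 348 billion guesses per second offline rate quoted in #18 versus an assumed online rate of 10 guesses per second behind a lockout. The pool sizes are the ones the posts use (2048 for the xkcd word list, 171,476 for the OED figure, 74 and 95 printable characters, 26 letters); the online rate and the key-stretching factor are assumptions for illustration.

```python
import math

OFFLINE_RATE = 348e9   # guesses/s: the 25-GPU figure quoted in the thread (fast unsalted hash)
ONLINE_RATE = 10.0     # guesses/s: assumption for a rate-limited login or a lockout-protected account
YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size, length):
    """Entropy of a secret made of `length` symbols each chosen uniformly from `pool_size`
    possibilities, i.e. log2(pool_size ** length) without building the huge integer."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits, guesses_per_second, work_factor=1):
    """Time to try every candidate. `work_factor` models key stretching (bcrypt cost,
    sha512crypt rounds, ...), which divides the attacker's rate; 1 means an unstretched hash."""
    return 2.0 ** bits / (guesses_per_second / work_factor)


# The password schemes discussed in the thread: (pool size, number of symbols).
CANDIDATES = {
    "xkcd: 4 words from a 2048-word list":      (2048, 4),
    "4 words from the 171,476-word OED":        (171476, 4),
    "8 random chars from 74 symbols":           (74, 8),
    "16 random chars from 95 printable ASCII":  (95, 16),
    "26 random lowercase letters":              (26, 26),
}


def report(offline=OFFLINE_RATE, online=ONLINE_RATE):
    """Return {scheme: (bits, offline_seconds, online_years)} for every candidate."""
    rows = {}
    for name, (pool, n) in CANDIDATES.items():
        bits = entropy_bits(pool, n)
        rows[name] = (bits, seconds_to_exhaust(bits, offline), seconds_to_exhaust(bits, online) / YEAR)
    return rows


if __name__ == "__main__":
    for name, (bits, off_s, on_y) in report().items():
        print(f"{name:42} {bits:6.1f} bits  offline: {off_s:10.3g} s  online: {on_y:10.3g} years")
```

Run it and the two halves of the argument both come out true: 16 random printable characters (about 105 bits) do beat four dictionary words (44 bits from a 2048-word list, about 70 bits from the full OED), exactly as #18 says, but the comparison only bites when the attacker holds the hash and can run the GPU cluster, where 44 bits fall in under a minute. Against a login that allows ten guesses a second the same 44 bits take tens of thousands of years, which is Awebb's point, and a stretched hash (try `work_factor=5000`, roughly sha512crypt's default rounds) multiplies the offline time by the same factor. The numbers assume the secret really was drawn uniformly; a phrase built from a favourite lyric, as in #12, has far less entropy than its length suggests because the attacker can enumerate lyrics too.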